By Michael Synergy

"Anyone caught having anything to do with viruses should be roasted on a spit for sixty hours, their flesh torn off in strips with pliers, their families taxed into non-existence, and then they should be taken out and shot"
-attributed to Bill Atkinson


Why would a well-fed software sultan even take note of an infidel hacker's existence, let alone want to extinguish it with such fury? Computer viruses. Computer viruses are the number one health alert. The industry is quaking in its boots. All my high-tech sources are guarded when my questions turn to viruses. They don't want to talk on their cellular phones. They don't want to be quoted. Their eyes travel nervously back and forth like caged animals. They have other appointments. They're out to lunch.

There's only one person I know with anything approaching full knowledge and full candor—Doktor Mabuse. I wait for his call; he always calls me. I don't even have a number for him. The damnable man is so slippery and theatrical... I shake my head as I stroll down Telegraph Avenue trolling, today as always, the used bookshops for overlooked lunkers lurking on unweeded lower shelves. There's a commotion in front of the "Med" - dogs growling... or is that a dog?

A yard-tall quadruped covered with tufts of orange fur in leopard-spot pattern set against bare black hide is mounting a red-bandannaed generic Grateful Dead dog with a multicoloured macrame bracelet around its left forepaw. Standing nonchalantly by, one foot resting on a skateboard, is a tall man sporting paisley silk boxer shorts, kneepads, and long Pernod-tinted hair twisted into a tricorn fool's cap array. He is talking to a well-known zealot-eyed leather-vested denizen of Telegraph who ekes out a living selling crystal-powered time machines driven with three-and-a-half inch floppies.

"The tesseract, you see, er, excuse me...," the over-aged thrasher turns as the amatory growling begins to drown out his voice. "Hitler, I'm going to have to get you an inflatable dog..."

There is no mistaking him.

"Gruss Gott, Herr Doktor!"

"Ah, Morgan! We were just going into the Med; won't you join us?" We sit at a round marble-topped table beneath the 'NO DEALING' sign. "You look different today, Doktor."

"It would be more surprising if I didn't look different. All part of my head-hunting. I've been recruiting talent among the 'skate trash,' as they dub themselves. Amazing reflexes they possess—it doesn't matter whether they're on a skateboard or a keyboard. Several rising stars."

I broach the subject of viruses as Mabuse stirs two packets of bright green powder into his glass of Calistoga mineral water and dumps a handful of pills from a hammered-silver pillbox. I peer intently at the design - a pyramid with a shining eye.

"Well, the West German hacker cabal known as Chaos distributed a 'how-to-make-a-virus' routine for those too deficient to design their own, but that's a crude, easily-thwarted stab for anarchy. Viruses, like suits and shoes, are best custom-made. A much more interesting and elegant virus than the mass-market Chaos model, is one which a protege of mine released recently. Manipulation of behavior is the best hack. The virus is subliminal. It displays text for a bare fraction of a second."

"What's the message?"

"Oh, it alternates between 'DO WHAT THOU WILT' and 'QUESTION AUTHORITY'"

He tosses the handful of pills into his mouth and downs it with the emerald elixir.

"Mind if I ask what kind of pills those were?"

"Ach, sicher!... Prozac, chlorella, Hydergine..." He glances up and catches my blank expression. "Prozac potentiates neurotransmitter production and has protein-binding characteristics which are used to full advantage by taking it concomitantly with chlorella which provides nineteen of the twenty-two amino acids. Hydergine allows dendrites to become branchier... which reminds me, I know whom you should talk to - Michael Synergy, one of my most able apprentices. He begged me, when he was a mere computer whelpling, to, uh, 'modify' him if it would enhance his hacking."

"Modify him?"

"Well, I gave Synergy the full treatment: wrote him prescriptions for all the smart pills; gave him all the cybernetic initiations; I even backed him up on a mainframe in case the NSA should get to him and reformat him. Synergy has an augmented nervous system, so, while he's chronologically young, there's a density to his experience which belies his years. He has, shall we say, a higher baud-rate than most and a much fatter interface."

"What's his story?"

"He's worked as a hired gun since he was fifteen. He's even worked for the government sporadically, but in his heart of hearts, he's an anarchist dedicated to the revaluation of all values... "

"Sounds terribly earnest."

"Oh, no—he's a terrific prankster—keeps us all amused. At the age of sixteen, while under Crowley's spell, he shaved his head, filed his teeth, and created the 'DO WHAT THOU WILT' virus. He released it at the University of Chicago, allowing time for it to disable hard disks, and then went round offices and labs offering to exorcise the computers with a 'love ritual'... but here he comes now..."

Right: bad-ass hacker - jacked up & backed up.
A jumpsuited figure in black approaches our table. I figure I need another shot of espresso. I get up from my seat and, after the formalities, say, "I'm going back for another doppio cappuccino. Anyone for a coffee or dessert?"

Figure 1

Table layout of disk directory

The directory is the roadmap to the files — file name, type, size, creation date, disk location

"I don't allow myself to ingest caffeine or sugar; it disrupts my delicate neuropeptides," Synergy says with Spocklike restraint. Practices which are not wholly life-enhancing he simply jettisons. I'm impressed.

By the time I return to the table, Synergy has made several diagrams of viruses. And before I leave the cafe, he's written the complete text of the following article. In stunned admiration, I give you the Over-man!

-MORGAN RUSSELL

If the computer virus epidemic continues at the present rate, the prognosis for our computer reality is, as they say, guarded. Get on all your usual networks and e-mail your last words.

What is afflicting us? Something uncannily analogous to AIDS: rebel programs that infiltrate via the security systems themselves. Simply put, computer viruses are highly optimized, highly specialized operating systems. They monitor traffic through storage and interface, analyzing the signals, looking for the specific patterns that will trigger them into action. What's it going to be then? Bloody chaos? Or just a bit of the old self-replication, all lying snug in the host until the chance comes to forward a few over the lines, or to pack some off on the floppy. They don't mind a delay until activation, and their maker can be far away when they do superhero out. This is the ideal weapon for electronic terrorism and espionage, the equivalent of a suitcase-sized fusion device.

Figure 2

Sector allocation interleaving allows dynamic resource management.

Since DOS functions are 'black boxes' (transparent to the user and potentially to the programmer), disk storage need not be contiguous.

VIRUS  TAXONOMY 

Computer viruses can be only loosely classified by their 'host' computer system. Microcomputer viruses, for example, can vary across extremes - from 'messenger viruses' which display text or graphics (from subliminal to annoyingly persistent), through 'hunter/killer' viruses which seek and destroy targeted files or data, to 'maximum damage' viruses which destroy all stored data and then try to ace the hardware.

Hardware damage is possible with an insider's knowledge. The video scan rate of a VDT can be accelerated to produce overheating and potentially (in some machines, inevitably) a fire. Using recalibration routines, a virus can ram the disk drive head into the end of the alignment bar, concussing it, and maybe add some bonus points via the computer's resonant vibration.

Damage-oriented viruses need not delete files or reformat disks—they can be more subtle and insidious. Lotus data files could be shaved, the data skewed; any computer-stored data could be systematically changed. Code changes could ruin the usefulness of a software package: publishing software and word processors could lose the ability to format quality printing. Other programs are susceptible to implanted 'bugs' intended to make a customer dissatisfied, uncomfortable or downright furious with a product.

All the microcomputer viruses can live happily in minicomputers (workstations) and mainframes, but the larger machines can additionally incubate varieties suited only to their spacious environment: the 'tapeworms'. Tapeworms are designed to penetrate and suborn the computer's security systems and absorb data. Proper tapeworm viruses can pyramid themselves, expanding and replicating across user accounts and networks.


Figure 3

- a program is encapsulated to define start and finish
- the prolog and epilog contain important information such as where to load the file to in memory, file length, where to begin program execution, checksum
- data storage has not evolved much beyond papertape

Figure 4

a 'salami' attack inserts the virus into the file and changes the prolog data to mask its presence.

(relative sizes shown here are not meant to be significant)

Figure 5

an optimization attack, in which the virus replaces non-optimized code with the virus and a shorter routine, thus not changing the overall file length or functionality
Figure 6

a program calls a Macintosh tool box routine which has been modified (to repair a bug), the call is intercepted by the ROM trap, and redirected to the debugged routine in the system heap.

a virus can intercept a subroutine call by being inserted on the system heap, execute its instructions when a routine is called, then pass the call off to the debugged code on the system heap or the original tool box routine

SYSTEMS ANATOMY

To understand viruses, you must understand how disk operating systems work. When a computer is started up by turning the power on ('coldbooted'), the disk drive controller (ROM) 'bootstraps' (loads a large program into memory by loading successively larger sections of code which then load others) the operating system into RAM and begins execution at the designated starting point. It is important to note that an operating system is a program just like all others stored on disk. Disk organization is a set of concentric circles ('tracks'), subdivided into pie-like sections ('sectors'), on which the data is stored. To keep track of important information about stored data (type, name, size, creation date, disk location of first sector—see figure 1), a directory track is needed, usually located in the middle of the disk. When a file/program is loaded from disk, it is again bootstrapped. This is due to sector allocation interleaving ('soft partitioning'—see figure 2) which allows dynamic management of non-contiguous disk storage space. A program is stored on disk much like a glorified paper tape. There is a prolog, which identifies the start of the file, the length, and the point in memory it is to be loaded to. The body of the program follows, and it is immediately followed by the epilog, signalling the end of the program and a checksum to insure an accurate load (see figure 3). Structured in such a way, the DOS and files stored under it are open to a viral attack.
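
An added illustration, not part of the original article: a loader for a prolog/body/epilog file of the kind described above, showing that the length field and epilog checksum catch a damaged load but not a rewritten file, while a digest recorded elsewhere does. The byte layout, the additive checksum and all names are assumptions made for this example.

```python
import hashlib
import struct

# Hypothetical layout, assumed for this example (the article gives none):
#   prolog: magic b"PG", load address (u16), body length (u16), little-endian
#   body:   the program bytes
#   epilog: end marker 0x1A, additive checksum of the body (u16)
PROLOG = struct.Struct("<2sHH")
EPILOG = struct.Struct("<BH")
MAGIC, END_MARK = b"PG", 0x1A


def additive_checksum(body: bytes) -> int:
    return sum(body) & 0xFFFF


def build_image(load_addr: int, body: bytes) -> bytes:
    return (PROLOG.pack(MAGIC, load_addr, len(body)) + body
            + EPILOG.pack(END_MARK, additive_checksum(body)))


def parse_image(raw: bytes) -> dict:
    """Loader-side checks: everything the file can prove about itself."""
    if len(raw) < PROLOG.size + EPILOG.size:
        raise ValueError("truncated image")
    magic, load_addr, length = PROLOG.unpack_from(raw, 0)
    if magic != MAGIC:
        raise ValueError("bad prolog magic")
    if len(raw) != PROLOG.size + length + EPILOG.size:
        raise ValueError("prolog length does not match file size")
    body = raw[PROLOG.size:PROLOG.size + length]
    mark, checksum = EPILOG.unpack_from(raw, PROLOG.size + length)
    if mark != END_MARK:
        raise ValueError("missing epilog marker")
    if checksum != additive_checksum(body):
        raise ValueError("epilog checksum mismatch")
    return {"load_addr": load_addr, "length": length, "checksum": checksum}


def audit(raw: bytes, known_good_digest: str) -> dict:
    """Compare the loader's verdict with a digest recorded off the machine."""
    try:
        parse_image(raw)
        loader_ok = True
    except ValueError:
        loader_ok = False
    digest = hashlib.sha256(raw).hexdigest()
    return {"loader_checks_pass": loader_ok,
            "matches_baseline": digest == known_good_digest}


# Constructed sample data.
BODY = b"constructed sample program body"
ORIGINAL = build_image(0x0100, BODY)
BASELINE = hashlib.sha256(ORIGINAL).hexdigest()  # kept on write-protected media

# 1. One byte damaged during the load: the epilog checksum catches it.
damaged = bytearray(ORIGINAL)
damaged[PROLOG.size] ^= 0x01
DAMAGED = bytes(damaged)

# 2. Two body bytes transposed: same length, same additive sum.
swapped = bytearray(ORIGINAL)
i = PROLOG.size
swapped[i], swapped[i + 1] = swapped[i + 1], swapped[i]
TRANSPOSED = bytes(swapped)

# 3. Body changed and prolog/epilog rewritten to agree with it, as in the
#    article's figure 4 caption: the file is self-consistent again.
REWRITTEN = build_image(0x0100, BODY + b" plus foreign bytes")

if __name__ == "__main__":
    for name, raw in [("original", ORIGINAL), ("damaged", DAMAGED),
                      ("transposed", TRANSPOSED), ("rewritten", REWRITTEN)]:
        print(f"{name:11s}", audit(raw, BASELINE))
```

Only the damaged copy fails the loader's own checks; the transposed and rewritten copies pass them and are caught solely by the baseline comparison.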


ICING  THE  BODY  ELECTRIC 

A virus which finds an uninfected program can use a variety of ways to insert itself. A 'salami' model is the most common: the virus splits the program and inserts itself at a convenient point, usually at the very beginning of the code (see figure 4). A more subtle approach is possible, where the virus inhabits only certain programs (such as operating systems) by replacing a section of seldom-used code, or replacing a section of sloppy code with a tighter version coupled with the virus code (see figure 5). Buffer areas are also easy targets for a virus to inhabit.

Viruses can do their damage only if they have control of the processor. As DOS is automatically executed at boot, viruses with hooks in the OS are best able to do damage. Programs with viruses injected spread the infection, since they can be exchanged via disk or modem. The initial 'vector' by which a virus invades a computer is usually some attractive program such as a utility (an anti-virus program for instance), a game or some irresistible computerized pornography. In IBM-DOS, the system utilities are standard programs—always present, and identical across DOS versions; an easy vector. On the Macintosh, the ROM trap reroutes toolbox calls and redirects them to the system heap, wherein viruses may lurk (see figure 6).

Figure 7

The Multics model of security - the closer to the core (depth 0), the greater the abilities of the user and programs, and the more 'sensitive' the information. Security rings stop the flow of data from secure rings to unsecure rings.

A virus replicates when used by a user with access to inner, more secure, rings.

transmission pathways could be the protection bits on a file (such as a mailbox) which both viruses can access, acting as a data channel. Vg can transmit data it now has access to (such as password files or confidential data) for use by V2.

Mac viruses can be whipped up from the system BIOS (IBM Reference Manuals) and the Macintosh toolkit, released as a limited concession to the 'open' architecture philosophy. The 'closed' system architecture, also present in both machines, complicates matters. Systems calls are 'black boxes' and great sections of both machines are undocumented, allowing technically savvy programmers to create undetectable viruses that exploit this obfuscation for their own protection. 80286 and 80386 architecture will also allow viruses to remain undetected through the virtual-machine capabilities of the chips. If software were to run in the 'protected' mode, viruses would be much more difficult to implement on the IBM-PC line, but DOS cannot be run in the 'protected' mode. Operating systems are open enough to allow virus designers to create viruses, but closed enough to cause a 'security through obfuscation' for the viral code and prevent easy detection of infection.

Viruses can commit acts of vandalism, or engage in industrial espionage or military incursions. The battle between corporations for market share has led to the use of viruses as an espionage tool. Large computer software manufacturers may target the software of public domain or 'shareware' authors to eliminate the competition. Hunter/killer viruses are being used to seek Microsoft product and Lotus data files and erase them. Microsoft and Lotus are targets due to their unpopular pursuit of near-monopoly power, which greatly hinders innovation within the computer industry.

SEARCH  AND  DESTROY 

Hunter/killer viruses are used as a guerrilla weapon to express the displeasure of their creators with a 'closed shop'. A disgruntled employee of Electronic Data Systems (EDS) wrote a virus intended to wipe out the in-house software. This 'scores' virus, intended to damage EDS, in fact did little or no damage, if EDS reports are to be believed. Many other sites have been hurt, however—Apple, IBM, defense contractors - even Stephen Wolfram's Mathematica was used as a vector, causing damage at the product's beta-test sites. Security consultants representing companies are contractually obligated to talk a hard line—to deny that any damage has occurred: corporate image and stock values are at stake. Manipulation of stocks for profit through the release of viruses and the information they are doing damage is entirely possible and would be extremely difficult for SEC to pursue. Blackmail of corporations or governments enters a new dimension with the use of viruses. Clearly, the next wave of profitable computer crime will involve the use of viruses or tapeworms.

Figure 8

This code is executing on the host computer.

These sections of code are stored as data, encapsulated from the module which is executing.

When the virus infects another computer, it undergoes a topological transformation, spooling the proper module first and insulating the remaining modules as data.

For instance, the polymorphous configuration shown above (executing on a DEC system) would spool the HP module into the active position and then port the rest of the modules using the active module as a gateway.

This ability allows sophisticated viruses to cross barriers assumed able to stop them, whether between micro's, minis or mainframes.

MILITARY  AND  COUNTER-MILITARY 

Although military viruses might seem to be in the realm of science fiction, they have already been implemented. Israeli computer systems governing the Gaza strip occupation have been successfully attacked by viruses which destroyed birth records, population control data, operations plans—the information necessary to maintain the suppression of the inhabitants of the region.

The infiltration of civilian computers with viruses designed to be activated on a future occasion has obvious usefulness to military organizations. The Swift Telex International Funds Transfer computers, Missile Control computers (both U.S. and Soviet), cryptography computers, telecommunications computers (Electronic Switching Systems) all provide vulnerable targets of opportunity. In the event of a first strike or invasion, a virus to 'soften up' the enemy must be viewed as the first logical step in the electronic warfare arena. The Pentagon's decontamination drill commands the destruction of disks presumed infected, and the literal bulldozing of hard drives. No nation's missile computers (or SDI systems) are safe when a virus could turn the swords into plowshares.

Chaos would follow targeting the IRS computers to destroy records selectively or wholesale. The likelihood of such a penetration is almost a certainty.

Figure 9

A 3 by 3 matrix of processors have a difficult problem acting in parallel - global communication (between non-adjacent processors) ties up processors which should be working on their sections of programming. This problem gets much worse as the matrix increases.

Viruses could inhabit each processor, growing and dying off as needed on a local level, in neural network fashion. Locality is defined by connectivity.

Autonomous processors with locality for a neural network defined by connectivity (symbolic through processor addresses used by communication processors). Viruses replicate to form nodes (inhabit processors) as necessary. Topological connectivity is not needed.

Communication processors - inhabited by tapeworms sent to the local processor.

Optical pathway - messages (tapeworms) are transmitted in both directions.

(could be arrayed as a compressed spiral to optimize to the advantages of lightspeed communication pathways)

HERE THERE BE TAPEWORMS

Viruses are not necessarily designed only for damage. A tapeworm is the next level of computer penetration, taking advantage of computer virus theory and programming techniques generated by artificial intelligence research. A tapeworm is a program structure with a head, a body, and a tail. The head contains penetration programming and a pattern matcher, the body is an expandable encapsulated area designated to contain the data used by the head and the data acquired using the pattern matcher, and the tail is the success qualifier which directs a change in action for the tapeworm. A tapeworm is highly useful for a 'covert channel' attack. It can be introduced into a target computer and linked lamprey-style to a commonly used program (mail or spool demon) through an account without privileges. The tapeworm will eventually cross a security level, most likely through its execution by a super-user. The tapeworm can, at this point, transmit data back to the public-access tapeworm, which will store it. The semaphore between them would be a file (such as a mail record), with the protection bits used as a single-byte data channel by the transmitting virus. Thus, computer security mechanisms (such as those in the Multics model) can actually be used to further the ends of the virus (see figure 7).
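
The protection-bit channel described above leaves a trace a defender can look for: one file whose mode changes many times in a short span, through many different values, far more than ordinary administration produces. The detection logic below is an added example, not from the original article; the log format, thresholds and paths are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque

# Constructed audit records, oldest first, one permission change per line:
#   <epoch-seconds> <uid> <path> <new-mode-octal>
SAMPLE_LOG = """\
1000 501 /home/ann/report.txt 644
1010 502 /var/mail/guest 600
1011 502 /var/mail/guest 143
1012 502 /var/mail/guest 150
1013 502 /var/mail/guest 141
1014 502 /var/mail/guest 156
1015 502 /var/mail/guest 145
1016 502 /var/mail/guest 600
1020 503 /srv/deploy/run.sh 755
1022 503 /srv/deploy/run.sh 644
1024 503 /srv/deploy/run.sh 755
1026 503 /srv/deploy/run.sh 644
1028 503 /srv/deploy/run.sh 755
## log rotated ##
1030 501 /home/ann/report.txt 600
5000 504 /etc/cron.d/job 644
9000 504 /etc/cron.d/job 600
"""


def parse_record(line):
    """Return (ts, uid, path, mode) or None for a line that is not a record."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, uid, path, mode = parts
    try:
        return int(ts), int(uid), path, int(mode, 8)
    except ValueError:
        return None


def find_mode_channels(log_text, window=60, min_changes=5, min_distinct=4):
    """Flag files whose protection bits churn through many values quickly.

    A file is flagged when, inside any `window` seconds, its mode was set at
    least `min_changes` times to at least `min_distinct` different values.
    Toggling between two modes (a deploy script) stays below min_distinct.
    """
    recent = defaultdict(deque)   # path -> (ts, uid, mode) still in the window
    flagged = {}
    for line in log_text.splitlines():
        record = parse_record(line)
        if record is None:
            continue              # skip markers and damaged lines
        ts, uid, path, mode = record
        queue = recent[path]
        queue.append((ts, uid, mode))
        while ts - queue[0][0] > window:
            queue.popleft()       # drop changes older than the window
        modes = {m for _, _, m in queue}
        if len(queue) >= min_changes and len(modes) >= min_distinct:
            best = flagged.get(path)
            if best is None or len(queue) > best["changes"]:
                flagged[path] = {
                    "changes": len(queue),
                    "distinct_modes": len(modes),
                    "uids": sorted({u for _, u, _ in queue}),
                }
    return flagged


if __name__ == "__main__":
    for path, detail in find_mode_channels(SAMPLE_LOG).items():
        print(path, detail)
```

With the default thresholds only the mail file is reported; the deploy script that alternates between two modes is not.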

THE  POLYMORPHS 

Computer networks that are collections of various manufacturers' systems are accessible to attack by polymorphous viruses. Viruses of this type take advantage of a transparent fact of data storage: all data is stored alike, whether it's programming, text, graphics, or anything else storeable. A polymorphous virus has a perverse adaptability. Its active module runs code that recognizes the computer it is infecting; it adjusts itself to conform to the specs of the system it rides, transforming its once unexecutable data into the active module on the new host. Such a virus can spread to computers made by different manufacturers or with different processors (see figure 8).


GROWING YOUR OWN VIRUSES

For non-technical vandals who want to cause chaos, a viral toolkit has been written by a group of West Germans (distance means nothing to a computer hacker). The creator of a virus has only a few major choices to make—how and where will it merge with files and the operating system, which trigger will cause activation, and what kind of havoc will be wrought—will it ignite monitors, spontaneously abort laserprinting, or mutate graphics? Detection must be considered: the more elaborate a virus' mission, the larger it must be, and the easier it will be to detect.

A small virus is a less detectable virus—a needle in a haystack of uninterpretable code. Larger viruses are harder to hide in code, their 'salami' techniques are easier to spot, patterns of code are more likely to be matchable, checksums are harder to fool or pad out. The maxim goes: small viruses are stoppable, larger viruses are detectable. Of course, size is relative--'small' undetectable viruses on microcomputers need to be shorter than a few hundred bytes, while on mini's and mainframes the viruses can be thousands of bytes long, a needle in a much larger haystack. Tapeworms, for instance, have little utility for microcomputers, but gain immense power with the resources available on larger systems.

GIVE ME A COOKIE... OR ELSE! The PLATO network contained a novel and 'friendly' virus, called Cookie. Whenever a user engaged in text-entry (the programs targeted by this virus), at random intervals the message, "Give me a cookie!" would appear. Immediately typing "cookie" would banish the virus for a while, but failing to appease its appetite would cause lock-out from the work, or deletion of random text. Cookie later migrated to printer drivers where it would put "Give me a cookie!" into the formatted output from the system. This minor annoyance has also been implemented on DEC systems.

LITTLE  TRIGGERS 

Time-triggered viruses such as the "Friday the 13th" virus are easily detected by scanning for clock chip access or for the pattern matcher's comparison string. In fact, a properly designed virus will carry no text string, since text and graphics can be identified with a variety of utilities; classical messenger viruses are mercilessly spotlighted. De-worming cycle checks can get you; they just advance the time setting at software speeds and wait for the viruses to pop out. Simply bypassing the activation date (April 1st, for sure) will make these viral triggers worthless.

Viral triggers can be smarter. A virus can be subtle. A virus can always wait: for a certain number of accesses to a file or disk; for specific characters or commands from the interface devices; for a target software house product or data file to be loaded; for a single random byte on a disk to change value; for a certain amount of disk space to be used.

THE  ELEGANT  PARASITE 

Subtle viruses can be programmed to be self-limiting, to strike only certain targets in certain ways and not betray their presence by an unlimited growth pattern. All function calls made by a virus can use a depth of indirect reference, making a scan for common calls useless. Its size and code should never change, preventing checksums and file length checks from finding it. It is entirely possible to write a virus that will use bootstrap hooks to load itself in from 'unformatted' disk areas. The game of cat and mouse between viral and anti-viral programs will usually be won by viruses, since they are custom written and can avoid the common traps.

ARE YOU HAVING AN OUT-OF-ANTIBODY EXPERIENCE?

Anti-viral agents which simply execute a one-to-one comparison on a system are simply useless. They need a 'clean' system as a control, which cannot be assumed to be available. A system 'snapshot' used to compare for changes is worthless - it is negated by any change in the system, is as large as the system itself (megabytes in most cases), and must become memory-resident and thereby itself vulnerable to tampering. In fact, all commercial anti-viral programs are useless, in time. As viruses are customized and can be written to evade searches by antibodies, so anti-viral programming must be custom written. Concerned users should create their own code; such decentralized and varied techniques can outmaneuver viruses designed to slip through the usual cracks, to evade 'standard' search patterns. Consider the hybrid cloned wheat crop. Homogeneity makes for a standardized product, but a single (biological) virus could blast the entire crop. Genetic diversity, more than just a good idea...

PURGING  YOUR  SYSTEM 

The key to stopping viruses is two-fold. A virus can't do any harm unless it has control of the processor. Also, it can't damage a disk if it's blocked, either by a write protect (hard partitioning for hard drives) or by the absence of important system subroutines such as formatting or deleting utilities.

The first step you can take to stop viruses is to remove file management calls from the operating system and isolate them on a disk for use only on an external drive. Write-protect this disk so a virus can't infect it. Always coldboot the computer—turn the power off and back on before and after use. This prevents memory-resident viruses from accessing the routines. Since this one disk is now your main maintenance disk, thoroughly examine it for viruses. Viruses must either target this disk specifically, or carry their own disk access routines, thus increasing their size and vulnerability to a search for such routines.

To keep a virus from gaining control of your processor, use a
simple level of encryption. Read/write functions of the operating
system can be rewritten to encompass a decrypt/encrypt function
using a one-time pad or fast knapsack trapdoor-type cipher. This
prompts for the key, or takes the key from a file whose name is
changed at each load with the filename prompted for, rendering
lamprey-type 'salami' viruses useless. If a stored and encrypted
file is modified by a virus, it will be obvious at load time. The
decryption function would make the program executable again while
encrypting the virus, making it an unexecutable section of
programming which will crash on entry. A sophisticated virus could
attempt to simulate a decryption prompt, but, once again, this
elaboration will open the virus to detection. Virus-breeders can be
placed between this rock and that hard place: small undetectable
viruses can't counter-maneuver, and larger wilier viruses become
detectable.
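
The load-time behaviour described above, as an added sketch that is not part of the original article: a stored program is XOR-encrypted under a prompted key, and bytes written to the file by code that lacks the key come out of decryption scrambled. Assumptions: a SHA-256 counter keystream stands in for the one-time pad, and a keyed digest (HMAC), which the article does not mention, is added so that the change is rejected at load time instead of surfacing as a crash; all names and sample bytes are constructed.

```python
import hashlib
import hmac

def keystream(key: bytes, n: int) -> bytes:
    # Assumption: SHA-256 in counter mode stands in for the article's pad.
    out, block = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:n])

def xor_crypt(key: bytes, data: bytes) -> bytes:
    # XOR is its own inverse, so this both encrypts and decrypts.
    return bytes(d ^ k for d, k in zip(data, keystream(key, len(data))))

def tag_of(key: bytes, ct: bytes) -> bytes:
    mac_key = hashlib.sha256(b"mac|" + key).digest()  # separate key for the digest
    return hmac.new(mac_key, ct, hashlib.sha256).digest()

def store(key: bytes, program: bytes) -> tuple[bytes, bytes]:
    """Encrypt at write time and record a keyed digest of the ciphertext."""
    ct = xor_crypt(key, program)
    return ct, tag_of(key, ct)

def load(key: bytes, ct: bytes, tag: bytes) -> bytes:
    """Refuse to decrypt anything that changed on disk since store()."""
    if not hmac.compare_digest(tag, tag_of(key, ct)):
        raise ValueError("stored file was modified; refusing to load")
    return xor_crypt(key, ct)

def demo() -> dict:
    key = b"constructed key typed at the prompt"
    program = b"PROGRAM: constructed stand-in for an executable image"
    appended = b"APPENDED: constructed plaintext added without the key"
    ct, tag = store(key, program)
    on_disk = ct + appended              # file changed by code that lacks the key
    decrypted = xor_crypt(key, on_disk)  # what a loader with no digest check sees
    try:
        load(key, on_disk, tag)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "program_recovered": decrypted[:len(program)] == program,
        "appended_scrambled": decrypted[len(program):] != appended,
        "clean_roundtrip": load(key, ct, tag) == program,
        "tamper_rejected": rejected,
    }

if __name__ == "__main__":
    print(demo())
```
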

THE KINDLY ONES

There are beneficial uses for computer viruses as well. Viruses
can be written to 'tail chase' known viruses and deactivate them,
thus removing the necessity for constant checking with customized
anti-viral programs. Viruses are utilizable for computer security
(and copy protection, a direction I hope they do not take) with
telecommunications. A user calling a computer could be sent a virus
with a time coded one-time pad cipher which will handle all
communications traffic between the computer and the remote site.
After the session is completed, the virus erases itself and any
storage utilized. The security of such a technique lies in the
encrypted communications channel, and the unwillingness of an
unauthorized user to abdicate control to a potentially hostile
program which has the ability to disallow certain functions from
the remote site itself.

Most importantly, viruses and viral theory (with overlaps into
cellular automata) have direct application to the field of
artificial intelligence, especially since they could be used as the
control mechanism and computational engine for massively parallel
computers such as the Connection Machine. As viruses are
object-oriented autonomously-operating systems with computational
power, and could be self-organizing in a neural network fashion (the
viruses replicate and die in accord with the need for processor
control), they should be exploited as simply another tool of
computational theory. Communication between viruses/processors
would be achieved by tapeworms, which are inherently packet-switched
and goal/destination-oriented. These techniques will work with
modern Von Neumann bus architecture, but are more directly
applicable towards optical communication pathways (see figure 9).
While a great deal of the focus on viruses has been negative due to
the damage they can do, I see them as the next generation of
programming, designed for parallel decentralized processing.

Viral triggers can be smarter. A virus can be subtle. A virus can
always wait...


LIKE HAVING BEES IN YOUR HEAD...BUT THERE THEY ARE!

The desire to create viruses has been caused largely by an
environmental change in the software/hardware industry. While the
software industry has moved away from 'copy protection', a
corresponding opening of hardware and the operating systems has not
followed. The computer industry is now being forced to choose
between implementing entirely 'closed' systems with ROM DOS's and
little usefulness (and hence marketability), or allowing diverse,
non-standardized, well-documented operating systems with 'open'
architecture.

A final word: computer viruses do exist and are active. It will
take a great deal of luck to find them and stop them, as they have
already infected compilers, in-house software tools, and archived
files. The potential effects of military viruses are staggering.
International funds transfers are in jeopardy, missile and
code-breaking computers won't function when they receive their
orders, and projects like SDI will never work (millions of lines of
code are impossible to search for a bug, let alone a virus). The
industry and other potential targets are at the stage of 'damage
control': attempting to minimize the effects when the viruses are
triggered.

Ignoring the problem won't make it go away. In essence, the
creators of viruses can declare the game over, with themselves as
the winners. Either the computer industry will suffer enormous
losses, or computers and software will open back up, a major benefit
to all.